A US District Judge in Maine largely granted a motion to dismiss brought by Hannaford in a big data breach case:

A customers uses a credit or debit card to buy groceries. A third party steals the electronic payment data from the grocer. Can the customer them recover from the grocer any loss resulting from third-party data theft?

Short answer - only if there is actual identity theft or unauthorized charges (which are not covered by the credit card company). Access the order here [PDF]. H/t Threat Level.)

Background: According to the court, around March 2008, third parties stole up to 4.2 million debit and credit card numbers, expiration dates, security codes, PIN numbers, and other information relating to cardholders “who had used debit cards and credit cards to transact purchases at supermarkets owned or operated by Hannaford.” Visa notified Hannaford in late February 2008. Hannaford discovered the actual breach on March 8, 2008, notified financial institutions on March 10, and the public on March 17.

The Court’s Ruling: The court runs through numerous different bases for recovery, ranging from breach of implied contract to implied warranty, breach of duty of confidentiality, strict liability, and negligence. The key conclusion starts on page 30 of the court’s 39 page order when the court talks about whether plaintiffs have suffered any cognizable injuries. Here the court splits the plaintiffs up into categories. The first category consists of plaintiffs who have not had any fraudulent charges posted on their accounts. They are out of luck. (Footnote 128 contains a nice listing of recent data breach cases which arrive at the same conclusion—no out of pocket loss >> no recovery.) Not surprisingly, the court concludes that emotional damages are not recoverable in this context. The second category consists of plaintiffs who have had fraudulent charges that have not been reversed or reimbursed. These plaintiffs may recover. The third category consists of plaintiffs who had fraudulent charges which were ultimately reversed. These plaintiffs tried to argue that they had suffered damages in addition to the unauthorized charges (rewards points, time spent tracking down the banks, overdraft charges, and the cost of identity theft insurance). These plaintiffs are out of luck. Somewhat surprisingly, the court rules that overdraft charges arising from a data breach are not “reasonably foreseeable at the time of the point-of-sale transaction.” Finally, the court also denies the request for injunctive relief which sought more precise disclosure of the data that was compromised.

Thoughts: A largely expected result, given the slew of cases in the past few years which hold that data breach plaintiffs cannot recover absent actual loss. (The cases all look to state law, although they are in federal court due to diversity or Class Action Fairness Act jurisdiction.) Maine has a data breach notification statute in place, but plaintiffs did not allege that Hannaford violated this statute (and the statute did not seem to allow for a private cause of action anyway). There wasn’t much discussion of free credit report monitoring. It’s unclear from an initial read as to whether Hannaford offered this or whether plaintiffs requested it. (The court does expressly reject increased identity theft insurance premiums as a category of compensable damages.) At the end of the decision the court speculates, but “make[s] no judgment on whether the Maine Legislature or Congress should act to provide more protection for consumers.” Finally, in a footnote, the court notes that it’s unclear at this point whether plaintiffs can satisfy the jurisdictional requirements for the class action fairness act.

Reg Z?: I’m surprised about one thing. I didn’t see much discussion of the rules (I think known as “Reg Z”) which govern when credit card companies are required to reverse unauthorized charges. These rules speak to when customers can initiate “charge backs” and how card issuers and merchants should deal with customer chargebacks. (They actually set limits on when customers can be held liable for unauthorized charges.) They would have some bearing—I would think—on whether the customer bears the loss of unauthorized transactions and whether card companies have to eat the loss?

Either way, expect this decision to add fuel to the data breach legislation fire.